CN101827104A

Movatterモバイル変換

Info

Publication number: CN101827104A
Application number: CN201010158969A
Authority: CN
Inventors: 徐小龙; 程春玲; 赵昌耀; 熊婧夷; 柴倩; 杨宝春; 钱建屹
Original assignee: Nanjing Post and Telecommunication University
Current assignee: Nanjing Post and Telecommunication University
Priority date: 2010-04-27
Filing date: 2010-04-27
Publication date: 2010-09-08
Anticipated expiration: 2030-04-27
Also published as: CN101827104B

Abstract

基于多反病毒引擎的网络病毒联合防御方法主要是利用云计算中的集群服务器集成多种反病毒引擎来协助甚至代替用户终端来防御网络病毒，使得网络系统能更快速、有效地抵御网络病毒的攻击。目前网络上的病毒传播、感染和攻击问题日益严重，防御网络病毒的主要手段是依靠的反病毒软件。本发明提出一种既可适用于在互联网也适用于内联网的基于多反病毒引擎的网络病毒联合防御方法。该方法首先在云计算集群服务器端上部署多种反病毒引擎，不同的反病毒引擎分别侧重于不同类型的网络病毒；将服务器按照其上安装的引擎将服务器集群分为多个防御区域，另外选择一个服务器节点作为用户终端接入集群服务器的门户节点。

The network virus joint defense method based on multiple anti-virus engines mainly uses the cluster server in cloud computing to integrate multiple anti-virus engines to assist or even replace user terminals to defend against network viruses, so that the network system can resist network viruses more quickly and effectively. attack. At present, the problem of virus transmission, infection and attack on the network is becoming more and more serious. The main means of defense against network viruses is to rely on anti-virus software. The invention proposes a network virus joint defense method based on multiple antivirus engines, which is applicable to both the Internet and the intranet. The method firstly deploys multiple anti-virus engines on the server side of the cloud computing cluster, and different anti-virus engines focus on different types of network viruses respectively; divide the server cluster into multiple defense areas according to the engines installed on the server, and in addition Select a server node as the portal node for the user terminal to access the cluster server.

Description

A kind of internet worm Alliance Defense method based on many anti-virus engine

Technical field

The present invention is a kind of being used in the network computing environment based on the Internet or Intranet, improves the defensive ability/resistance ability of each host node to internet worm, adoptable a kind of internet worm Alliance Defense method based on many anti-virus engine.Present technique belongs to the interleaving techniques application of Distributed Calculation, information security, computer network and computer software.

Background technology

Internet worm comprises computer virus, network worm, back door wooden horse, spy's part etc., and resource-sharing that network is outstanding and communication function provide natural hotbed for propagation, infection and the destruction of internet worm.By network particularly the internet worm propagated of the Internet and application system thereof, involve that scope is big, broad covered area, just can cause at short notice that network congestion even paralysis, shared resource are lost, confidential information is had things stolen, thereby cause tremendous loss.

The main means of defending against network virus are to rely on patch system leak (being patch installing) and anti-viral software or anti-viral software at present.Anti-viral software integrated real-time monitoring identification usually, virus scan and functions such as removing, auto-update and data recovery have become the computer and network system of defense important component part of (also comprising fire compartment wall, intrusion detection, intrusion prevention system etc.).

But present anti-viral software is at first will find and confirm an internet worm substantially, and then takes precautions against, and exists a series of problems:

(1) can't handle increasing rogue program effectively, most of anti-viral software is manufacturing and the propagation that lags behind internet worm, and the feature database diagnostic method of the most normal employing at present is obviously out-of-date;

(2) the rogue program defence policies of the most normal employing at present mainly is simple multimachine defence, and the anti-viral software of cover identification and killing rogue program promptly is installed on every computer, mainly relies on the virus base in the local hard drive, and is weak in strength;

(3) kind of anti-viral software is many at present, emphasis is had nothing in common with each other, even from the progressive fixed point gateway virus killing of single-point defence, but a cover anti-viral software only is installed generally on the gateway of responsible defence or the computer, therefore usually is difficult to effectively defend diverse network virus to network level;

(4) internet worm of attacking anti-viral software in recent years is also more and more, even present most of anti-viral software all has the self-protection function, but still has internet worm can shield the process of anti-viral software now, causes its paralysis and can't protect main frame.

At serious day by day internet worm propagation, infection and attack problem, the present invention proposes a kind of both applicable to the internet worm Alliance Defense method based on many anti-virus engine that also is applicable to Intranet in the Internet.

Summary of the invention

Technical problem: virus propagation, infection and the attack problem on the network is serious day by day at present, and the main means of defending against network virus are the anti-viral softwares that relies on.Yet present anti-viral software exists hysteresis quality and a series of problems such as incomprehensive, causes its effectively defending against network virus.Various anti-virus engine side emphasis differences exist complementary.The present invention proposes a kind of both applicable to the internet worm Alliance Defense method based on many anti-virus engine that also is applicable to Intranet in the Internet.

Technical scheme: it is a kind of that the present invention proposes mainly had been to utilize the integrated multiple anti-virus engine of cluster server in the cloud computing to assist even replace user terminal to come defending against network virus applicable to the internet worm Alliance Defense method based on many anti-virus engine that also is applicable to Intranet in the Internet both, made network system can resist the attack of internet worm more quickly and efficiently.

Cloud computing is distributed in calculation task on the cluster server resource pool of a large amount of computers formations, make various application systems can obtain required service as required, generally possess following 3 characteristic features: the hardware infrastructure framework is on large-scale low-cost server cluster; Application program and the exploitation of bottom service collaboration maximally utilise resource; By the redundancy between a plurality of low-cost servers, use software to obtain high availability.The network application system that employing makes up based on the cloud computing technology of the computer cluster of high performance-price ratio, can come operational network application program and network service by the powerful server cluster of network function of use, any one user can obtain the network service of high performance-price ratio by suitable internet access facility.

The internet worm problem that the present invention utilizes the cloud computing framework to solve in the network has embodied new approaches that ensure information security cybertimes, and it has merged emerging technology and notions such as associated treatment, Distributed Calculation, data mining.

At first at the multiple anti-virus engine of cloud computing cluster server end deploy, different anti-virus engines lay particular emphasis on networks of different type virus respectively to this method; Server is divided into a plurality of defence zone according to the engine of installing on it with server cluster, selects a server node to insert the door node of cluster server as user terminal in addition;

The major function of server end is that the Internet resources that the user asks for are detected filtration, virus sweep and system upgrade by many anti-virus engine, when user terminal obtained network by networking client software, the anti-virus engine of reliance server end replaced own defending against network virus.

The Alliance Defense method may further comprise the steps:

Step 1. user terminal at first mails to network resources address the door node of cluster server end,

Harmful resources bank in a continual renovation of cluster server end maintenance has comprised relevant informations such as malicious websites, malice file; If the system discovery user wishes that the resource address that obtains is comprised in harmful resources bank, send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource; , the user finishes this session if abandoning; If the user selects to continue to obtain this resource, or this resource address does not have danger, then changes step over to 2.;

Step is the system server website that visit is correlated with according to resource address 2.,

Step 3. system server is obtained the network of relation resource,

Step 4. system server terminal is carried out the parallel detection of many anti-virus engine to resource at once after getting access to Internet resources, soon resource is dispatched to simultaneously on the regional server node of a plurality of defence and detects; If the server node in these defence zones all detects this resource without any safety problem, be about to resource and be sent to user's reception; If wherein at least one regional server node detects this resource and has safety problem, as has comprised internet worms such as worm, wooden horse, then send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource;

, the user finishes this session if abandoning; If the user selects to continue to obtain this resource, then attempt removing the internet worm in the resource, then clean resource is sent to the user if remove successfully, if server can't be removed, then submit to virus to report to the viral report database of server end at once, leave the relevant unit that is responsible for solution internet worm problem for and analyze solution, simultaneously information such as this resource address are write in harmful resources bank, and inquire once more whether the user determines to receive this resource; , the user finishes this session if abandoning; If the user selects to continue to obtain this resource, then this resource is sent to this user, and give the alarm to other user terminal of system.

No longer only rely on virus base in the user terminal local hard drive based on identification and killing virus in the internet worm Alliance Defense method of many anti-virus engine, but rely on huge system for cloud computing service, gather in real time, analyze, the whole upgrading fast of processing and network system, the internet worm that constantly occurs with collaborative antagonism.Whole network has just formed huge " an internet worm Alliance Defense system ", and server end is responsible for assisting even is replaced user terminal to concentrate defending against network virus.

At the cluster server end deploy multiclass anti-viral software or the multiple anti-virus engine of cloud computing system, different anti-viral softwares or engine lay particular emphasis on various rogue programs such as wooden horse, virus, worm, spy's part, recreation steal-number or password theft program respectively.Cluster server is divided into a plurality of defence zones according to the engine of installing on it with server cluster.Select a server node to insert the door node of cluster server as user terminal in addition.Also corresponding anti-viral software can be installed independently on the user terminal computer, therefore the difference according to the anti-viral software of being installed also is divided into user terminal computer a plurality of Virtual Organization.Sometimes, user terminal computer can be installed a plurality of anti-viral softwares that do not conflict mutually; Also can select not install any anti-viral software, the defense work that is about to internet worm is transferred to server fully and is brought in and finish.

The major function of server end is that Internet resources are detected filtration, virus sweep and system upgrade by many anti-virus engine, in addition, also need catch the virus report of submitting to analysis user; The user terminal of enormous amount can be to the rogue program that occurs on the Internet, and there is the sensitiveest perception dangerous website, so its major function is in time the internet worm of discovery or the abnormal conditions of system to be submitted to server end.

Beneficial effect: the internet worm Alliance Defense method based on many anti-virus engine of the present invention can reach following beneficial effect:

(1) internet worm is defendd more comprehensively, and systems approach effectively forms and has complementary advantages each viroid in the more effective solution network by at the integrated many anti-virus engine of server end

(2) alleviated the burden of user side, the user side poison defence software that can uneasiness pretends to be sick just can be surfed the Net and obtained resource.

(3) the anti-virus system upgrade is more prone to, and can improve the virus defense ability of network system by the Antivirus program of concentrating the upgrade server end.

Description of drawings

Fig. 1 is a cluster server subregion schematic diagram.

Fig. 2 is based on the internet worm Alliance Defense method workflow schematic diagram of many anti-virus engine.

Embodiment

Key based on the internet worm Alliance Defense method of many anti-virus engine is at cloud computing cluster server end deploy multiclass anti-viral software or multiple anti-virus engine, and different anti-viral softwares or engine lay particular emphasis on various rogue programs such as wooden horse, virus, worm, spy's part, recreation steal-number or password theft program respectively.

1, cluster server subregion

Suppose this 5 cover anti-virus engine of existing A, B, C, D and E, server is divided into A, B, C, D, 5 defence zones of E according to the anti-virus engine of installing on it with server cluster, as shown in Figure 1.Select a server node to insert the door node of cluster server as user terminal in addition.

2, user terminal computer grouping

Also corresponding anti-viral software can be installed independently on the user terminal computer of cloud computing environment, therefore the difference according to the anti-viral software of being installed also is divided into user terminal computer a plurality of Virtual Organization, the user of the purpose different grouping of grouping can corresponding different subregions cluster server, be responsible for renewal user terminal anti-viral software by the server of the identical anti-virus engine of the employing of correspondence.User terminal also can select not install any anti-viral software, and the defense work that is about to internet worm is transferred to server fully and brought in and finish.

The major function of server end is that Internet resources are detected filtration, virus sweep and system upgrade by many anti-virus engine, in addition, also need catch the virus report of submitting to analysis user; The rogue program of the user terminal of enormous amount to occurring on the Internet, there is the sensitiveest perception dangerous website, so its major function is in time the internet worm or the abnormal conditions of system found to be submitted to server end and other user terminal.Particularly the accessing user terminal to network according to anti-viral software does not pass through browser, FTP (File Transfer Protocol in this locality when user terminal, file transfer protocol (FTP)) or P2P (Peer-to-Peer computing, equity is calculated) etc. client software when obtaining various resource such as webpage, video, software, anti-virus engine that can the reliance server end replaces own defending against network virus, system can be according to following works, as shown in Figure 2:

1. user terminal at first mails to resource address such as the URL of Internet resources (Uniform Resource Locator, URL(uniform resource locator) are used to specify the method for expressing of information position on the web services program) the door node of cluster server end.

Harmful resources bank in a continual renovation of cluster server end maintenance has comprised relevant informations such as malicious websites, malice file.If the system discovery user wishes that the resource address that obtains is comprised in harmful resources bank, send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource., the user finishes this session if abandoning; If the user selects to continue to obtain this resource, or this resource address does not have danger, then changes step over to 2..

2. system server is according to the relevant website of resource address visit, and 3. system server obtains the network of relation resource.

4. system server terminal is carried out the parallel detection of many anti-virus engine to resource at once after getting access to Internet resources, is about to detect on the server node that resource is dispatched to A, B, C, D, 5 defence zones of E simultaneously.If the server node in A, B, C, D, 5 defence zones of E all detects this resource without any safety problem, be about to resource and be sent to user's reception, 5. referring to the step among the figure; If wherein at least one regional server node detects this resource and has safety problem, as has comprised internet worms such as worm, wooden horse, then send a warning information to the user at once, and whether the inquiry user determines will continue to obtain this resource.

, the user finishes this session if abandoning; If the user selects to continue to obtain this resource, then attempt removing the internet worm in the resource, successfully then clean resource is sent to user's (5.) if remove referring to the step among the figure, if server can't be removed, then submit to virus to report to the viral report database of server end at once, leave the relevant unit that is responsible for solution internet worm problem for and analyze solution, simultaneously information such as this resource address are write in harmful resources bank, and inquire once more whether the user determines to receive this resource., the user finishes this session if abandoning; If the user selects to continue to obtain this resource, then this resource is sent to this user (5.), and give the alarm to other user terminal of system referring to the step among the figure.

Particularly, the mode that this method can software realizes.For the software systems that make this method of application have general applicability, promptly can either be applicable to server end, can be applicable to various clients again, internet worm Alliance Defense software systems based on many anti-virus engine should adopt the JAVA language with cross-platform characteristic to make up, and based on the Eclipse development platform, harmful resources bank that the cluster server end is safeguarded then adopts the MySQL Database Systems to realize.This software is made up of server end module and user side module.In order be simultaneously to wait service for a plurality of users provide virus detections, system must can support multi-user, Multi-task Concurrency operation, and server OS employing linux system, employing multithreading are implemented in and being connected of a plurality of user nodes.

Claims

1. internet worm Alliance Defense method based on many anti-virus engine is characterized in that at first at the multiple anti-virus engine of cloud computing cluster server end deploy, different anti-virus engines lay particular emphasis on networks of different type virus respectively; Server is divided into a plurality of defence zone according to the engine of installing on it with server cluster, selects a server node to insert the door node of cluster server as user terminal in addition;

The major function of server end is that the Internet resources that the user asks for are detected filtration, virus sweep and system upgrade by many anti-virus engine, when user terminal obtained network by networking client software, the anti-virus engine of reliance server end replaced own defending against network virus;

The Alliance Defense method may further comprise the steps:

Step 3. system server is obtained the network of relation resource,